Introduction to Modern Cryptography, Lecture 11

1) More about efficient computation: Montgomery arithmetic, efficient exponentiation
2) Secret Sharing schemes


Montgomery Reduction

• Let m be a positive integer

• Let R and T be integers such that $R > m$, $\gcd(m, R) = 1$, $0 \le T < mR$

The Montgomery reduction of T modulo m with respect to R:

$TR^{-1} \bmod m$


Montgomery Reduction

• Typical use:

$m = pq$ (RSA modulus), $R = 2^{\lceil \log_2 m \rceil}$, $R > m$, $\gcd(R,m)=1$, $T < mR$

Compute $x^5 \bmod m$

$\tilde{x} = xR \bmod m$


Montgomery Reduction (cont.)

Compute $x^5 \bmod m$

Let $\tilde{x} = xR \bmod m$

Montgomery reduction of $\tilde{x}^2$: $\tilde{x}^2 R^{-1} \bmod m$

Montgomery reduction of $(\tilde{x}^2 R^{-1})^2$: $\tilde{x}^4 R^{-3} \bmod m$

Montgomery reduction of $(\tilde{x}^4 R^{-3})\,\tilde{x}$: $\tilde{x}^5 R^{-4} \bmod m = x^5 R \bmod m$

22 mod mod modx m m x m


Montgomery Reduction (cont.)

• Idea: rather than compute xy mod m, compute the Montgomery reduction of the product of xR mod m and yR mod m, which is xyR mod m

• This always leaves one extra “R”

• Worthwhile if Montgomery reduction is faster than simple modular reduction


Fact

• Given m and R where gcd(m,R)=1, let 0 ≤ T ≤ mR, then:

1. $(T + (-Tm^{-1} \bmod R)\,m)/R$ is an integer and

2. $(T + (-Tm^{-1} \bmod R)\,m)/R = TR^{-1} \bmod m$.

2. $T + (-Tm^{-1} \bmod R)\,m = T \bmod m$, $(T + (-Tm^{-1} \bmod R)\,m)/R \bmod m = TR^{-1} \bmod m$

3. $(-Tm^{-1} \bmod R) = T(-m^{-1} \bmod R) + kR$, $m(-m^{-1} \bmod R) = -1 + jR$,

$(T + (-Tm^{-1} \bmod R)\,m)/R = (T + (T(-m^{-1} \bmod R) + kR)\,m)/R = (T(1 + (-1 + jR)) + kRm)/R = (Tj + km)R/R = Tj + km$


More Facts

• As $T < mR$ and $(-Tm^{-1} \bmod R) < R$, then $(T + (-Tm^{-1} \bmod R)\,m)/R < (mR + mR)/R = 2m$.

• Computing $TR^{-1} \bmod m$ can be done with two multiplications:
  – $U = (-Tm^{-1} \bmod R)$ (if R = power of 2, mod R = low order bits)
  – $Um$

• If R = power of 2, division = right shift of high order bits for $(T + Um)/R$


Example

• m = 187, R = 190, $R^{-1} \bmod m = 125$, $m^{-1} \bmod R = 63$, $-m^{-1} \bmod R = 127$

• T = 563, $-Tm^{-1} \bmod R = 185$, $(T + (-Tm^{-1} \bmod R)\,m)/R = 188 = (TR^{-1} \bmod m) + m$
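
The reduction from the preceding slides with R a power of two, followed by the $x^5$ chain, as an added Python example (not code from the lecture). The function names and the sample parameters m = 187, R = 2^8 are assumptions made for the illustration.

```python
def mont_setup(m, k):
    """Return (R, m') with R = 2**k and m' = -m^{-1} mod R."""
    R = 1 << k
    if m % 2 == 0 or R <= m:
        raise ValueError("need odd m and R = 2**k > m, so gcd(R, m) = 1")
    return R, (-pow(m, -1, R)) % R        # pow(m, -1, R) needs Python 3.8+


def redc_raw(T, m, k, m_prime):
    """(T + U*m)/R before the final correction; the value lies in [0, 2m)."""
    mask = (1 << k) - 1
    U = ((T & mask) * m_prime) & mask     # multiplication 1: U = -T*m^{-1} mod R
    return (T + U * m) >> k               # multiplication 2, then an exact shift


def redc(T, m, k, m_prime):
    """Montgomery reduction T*R^{-1} mod m for 0 <= T < m*R."""
    t = redc_raw(T, m, k, m_prime)
    # t < 2m, so one subtraction completes the reduction. The branch is data
    # dependent; constant-time implementations use a masked subtraction instead.
    return t - m if t >= m else t


def pow5(x, m, k):
    """x**5 mod m using Montgomery reductions, following the chain on the slide."""
    R, m_prime = mont_setup(m, k)
    xt = (x * R) % m                      # x~ = xR mod m (one ordinary reduction)
    a = redc(xt * xt, m, k, m_prime)      # x~^2 R^-1
    a = redc(a * a, m, k, m_prime)        # x~^4 R^-3
    a = redc(a * xt, m, k, m_prime)       # x~^5 R^-4 = x^5 R
    return redc(a, m, k, m_prime)         # strip the extra R: x^5 mod m


# Constructed sample parameters: the slides' modulus with R = 2**8.
M, K = 187, 8
```

Every product passed to `redc` is below $m^2 < mR$, which is the input range the Fact requires.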


Homework Assignment 3 part 1

• Describe and prove correctness of the binary Montgomery reduction algorithm (Handbook of Applied Cryptography, page 601, 14.32)

• Implement Montgomery reduction in Maple for 1024-bit moduli

• Implement Fiat-Shamir in Maple making use of Montgomery reduction


Exponentiation

• Base 2 left to right:

- To compute $x^e$, $e = e_1 e_2 \cdots e_j$, we compute
- S = 1
- For i = 1 to j
  - $S = S^2$
  - If $e_i = 1$ then $S = Sx$

Worst case: j multiplications, j squares
“Average case”: j/2 multiplications, j squares


Exponentiation

• Base 2 right to left:

- To compute $x^e$, $e = e_1 e_2 \cdots e_j$, we compute
- A = x, S = 1
- For i = j downto 1
  - If $e_i = 1$ then $S = SA$
  - $A = A^2$

Worst case: j multiplications, j squares
“Average case”: j/2 multiplications, j squares


Exponentiation

• Base b left to right:

- To compute $x^e$, $e = e_1 e_2 \cdots e_j$ (base $b$), $0 \le e_i \le b - 1$, we compute
- S = 1
- For i = 1 to j
  - $S = (\ldots(((S^2)^2)^2)\ldots)^2$ (S to the power $2^b$)
  - If $e_i \ne 0$ then $S = S \cdot x^{e_i}$ (precomputed)

Worst case: $2^b + j$ multiplications, $jb = \log_2 e$ squares
“Average case”: $2^b + j(2^b - 1)/2^b$ multiplications, $jb$ squares

For 1024 bit exponent, what is the optimal b?


For a log(e) bit exponent?

• $\log(e) + 2^b + \log(e)/\log(b)$ mults+squares
  – $2^b = \log(e)/\log(b)$
  – $2^b \log(b) = \log(e)$
  – $b \approx \log\log(e)/c$
  – $\log(e) + 2^b + \log(e)/\log\log\log(e) = \log(e) + \log(e)^{1/c} + \log(e)/\log\log\log(e) = \log(e) + o(\log(e))$
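
The left-to-right method with an operation counter, as an added Python example (not code from the lecture); b = 1 gives the binary method. Digits are taken b bits wide (base $2^b$), which is what the slides' operation counts assume, and the table skips the trivial entries $x^0$ and $x^1$, so precomputation costs $2^b - 2$ multiplications. The names and the sample exponent are assumptions.

```python
def window_pow(x, e, m, b):
    """Left-to-right exponentiation with b-bit digits (base 2**b).

    Returns (x**e mod m, multiplications, squarings).
    """
    mults = squares = 0
    table = [1, x % m]                        # table[d] = x**d mod m
    for _ in range(2, 1 << b):
        table.append(table[-1] * x % m)       # precomputation
        mults += 1
    digits = []
    while e:
        digits.append(e & ((1 << b) - 1))     # least significant digit first
        e >>= b
    if not digits:
        return 1 % m, mults, squares
    S = table[digits.pop()]                   # leading digit is non-zero: no work
    for d in reversed(digits):
        for _ in range(b):                    # S = S**(2**b)
            S = S * S % m
            squares += 1
        if d:                                 # a zero digit costs no multiplication
            S = S * table[d] % m
            mults += 1
    return S, mults, squares


def slide_average_cost(bits, b):
    """The slide's average-case count: 2^b + j(2^b - 1)/2^b with j = bits/b."""
    j = bits / b
    return 2 ** b + j * (2 ** b - 1) / 2 ** b


def best_window(bits, candidates=range(1, 11)):
    """Window width that minimises the slide's average-case multiplication count."""
    return min(candidates, key=lambda b: slide_average_cost(bits, b))


# Constructed 1024-bit sample exponent (top bit set so the length is exact).
E_SAMPLE = (1 << 1023) | 3 ** 600
```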


Addition chains

• Example: 1,2,3,4,7,10

• A list of integers, starting at 1, where the next element is the sum of two previous elements

• Addition chain of length 5 for 15:
  – 1,2,3,6,12,15 (don’t count the 1)

• To compute $x^{15}$, the binary left to right exponentiation algorithm computes: $x, x^2, x^3, x^6, x^7, x^{14}, x^{15}$ (3 mults, 3 squares)

• The addition chain algorithm would compute $x, x^2, x^3, x^6, x^{12}, x^{15}$ (2 mults, 3 squares)

• Finding the optimal addition chain is NP-Hard

• See algorithms in Knuth Volume 2, seminumerical algorithms


Addition chains (cont.)

• Length of addition chain for n is at least log(n) + log(wt(n)) (wt(n)≈log(n)/2 on “average”)

• Binary left to right exponentiation: log(n) + wt(n)

• Base b left to right exponentiation, $\log(n) + 2^b + \log(n)/\log(b)$, $b = \log\log(n)/2$ implies $\log(n) + o(\log n)$


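Fixed base exponentiation (E.g., $g^e \bmod p$)

• Base b, $e = e_0 e_1 \cdots e_t$ (base $b$), $0 \le e_i \le b - 1$

• Precompute $g^{b^i}$ for $1 \le i \le \log(e)/\log(b) - 1$

$e = \sum_{i=0}^{t} e_i b^i$

$g^e = \prod_{i=0}^{t} g^{e_i b^i} = \prod_{j=1}^{b-1} \Bigl( \prod_{i:\, e_i = j} g^{b^i} \Bigr)^{j}$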


Base b, number of multiplications is log(e)/log(b) + b. Take b = sqrt(log(e)) and the number of multiplications is O(sqrt(log(e)))
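
One way to evaluate the double product with about log(e)/log(b) + b multiplications, as an added Python example (not code from the lecture). The running-product arrangement, the function names and the sample values (p = 2^127 - 1, g = 3, b = 16) are assumptions; the table is built once per base with Python's built-in `pow`.

```python
def precompute(g, p, b, t):
    """Table of g^(b^i) mod p for i = 0..t, built once for the fixed base g."""
    table = [g % p]
    for _ in range(t):
        table.append(pow(table[-1], b, p))
    return table


def fixed_base_pow(table, e, p, b):
    """g^e mod p as prod_{j=1}^{b-1} (prod_{i: e_i = j} g^(b^i))^j.

    Returns (result, multiplications). B collects the table entries whose
    digit is >= j; multiplying A by B once per j supplies the outer power j.
    """
    digits = []
    while e:
        digits.append(e % b)                  # e = sum e_i b^i, 0 <= e_i <= b-1
        e //= b
    if len(digits) > len(table):
        raise ValueError("exponent too large for the precomputed table")
    A = B = 1
    mults = 0
    for j in range(b - 1, 0, -1):
        for i, d in enumerate(digits):
            if d == j:
                B = B * table[i] % p          # at most one per digit of e
                mults += 1
        A = A * B % p                         # b - 1 of these in total
        mults += 1
    return A, mults


# Constructed sample values: 256-bit exponent, b = sqrt(256) = 16, 64 digits.
P_SAMPLE, G_SAMPLE, B_SAMPLE = 2 ** 127 - 1, 3, 16
E_FIXED = (1 << 255) | 7 ** 80
```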


New Subject: Secret Sharing

• Threshold secret sharing scheme: a secret is divided amongst n users, but any t amongst them can recreate the secret.

• Easy solution: split the secret into t random shares, and give to every subset of size t out of n.

• Every user gets $\binom{n-1}{t-1}$ shares


Shamir’s threshold secret sharing scheme

• Choose a random polynomial over a finite field, of degree t-1, with p(0)=c0 equal to the secret.

• Give User j the value p(j)

• Any t users can reconstruct p(x) and compute p(0)

$p(x) = \sum_{i=0}^{t-1} c_i x^i$
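
Share generation and reconstruction for the scheme above, as an added Python example (not code from the lecture). The field prime 2^127 - 1 and the function names are assumptions; reconstruction uses Lagrange interpolation evaluated at x = 0.

```python
import secrets

P = 2 ** 127 - 1    # assumed prime field size; must exceed the secret and n


def split(secret, t, n, p=P):
    """Shares (j, p(j)) for j = 1..n, with p of degree t-1 and p(0) = secret."""
    if not (0 <= secret < p and 1 <= t <= n < p):
        raise ValueError("need 0 <= secret < p and 1 <= t <= n < p")
    # c_0 is the secret; the other coefficients must come from a CSPRNG,
    # otherwise fewer than t shares can leak information about c_0.
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]

    def poly(x):
        acc = 0
        for c in reversed(coeffs):            # Horner evaluation mod p
            acc = (acc * x + c) % p
        return acc

    return [(j, poly(j)) for j in range(1, n + 1)]


def interpolate(points, x, p=P):
    """Value at x of the unique polynomial of degree < len(points) through points."""
    xs = [xj for xj, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("share indices must be distinct")
    total = 0
    for xj, yj in points:
        num = den = 1
        for xm in xs:
            if xm != xj:
                num = num * (x - xm) % p
                den = den * (xj - xm) % p
        total = (total + yj * num * pow(den, -1, p)) % p
    return total


def reconstruct(shares, p=P):
    """Recover p(0) from at least t distinct shares."""
    return interpolate(shares, 0, p)
```

Each share value is a single field element, the same size as the secret.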


Generalized Secret Sharing

• P – a set of users

• A – an access structure, a set of subsets of P

• Perfect secret sharing – the shares corresponding to each unauthorized subset provide no information
  – H(S|B) = 0 for all B in A
  – H(S|B) = H(S) for all B not in A

• The information rate for a user is (size of shared secret)/(size of user share)


Generalized Secret Sharing

• Theorem: In any perfect secret sharing scheme, for all user shares, (size of user share) ≥ (size of shared secret). In other words, information rate ≤ 1.

• Proof: If not, then not knowing the share of some user that belongs to some B in A would reduce the uncertainty to at most the length of the user share.

• Secret sharing schemes for which the rate is 1 are called ideal.